In many companies, it is common practice to block USB devices across the board, or at least to ban certain types of device. If you don't want to use third-party tools for this purpose, the same goal can also be achieved, with some limitations, via group policies.
If such a strict policy cannot be implemented, for example because external drives are required for data exchange, then at least you can ensure that the data on these media cannot be read by unauthorized persons. Since Windows 7, BitLocker To Go has handled this task.
By default, users of the Pro and Enterprise editions can encrypt USB drives themselves, either by running the corresponding command from the drive's context menu or by starting the process in the Control Panel under System and Security > BitLocker Drive Encryption.
Centralized configuration of key parameters
In centrally managed environments, however, you wouldn't leave it to end users to decide whether data gets encrypted. In addition, when organizations don't manage BitLocker To Go centrally, users have to make decisions that affect how smoothly and securely the feature is used. This applies, for example, to the encryption method and to the way recovery keys are backed up.
The administrator can make these choices via group policies, ensuring that recovery keys are neither lost nor stored improperly. The same applies to the choice between encrypting the entire storage space and encrypting only the used space. The latter saves time, but data that was written earlier and has since been deleted remains unprotected in the unencrypted free space.
Enforcing encryption
The BitLocker To Go settings can be found under Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives. To force the encryption of external drives, activate Deny write access to removable drives not protected by BitLocker.
However, this setting does not cause BitLocker to activate automatically and encrypt the data in the background when a user plugs the USB device into the computer. Rather, it tells the user that data can only be saved once BitLocker has been activated.
This dialog box offers to encrypt the drive. It starts the same wizard as the above-mentioned command in the drive's context menu. However, you can hide some of its steps from the user by configuring additional group policies.
Skipping wizard dialog boxes
This includes the setting Enforce drive encryption type on removable data drives. It specifies whether the entire storage space or only the used space is encrypted.
In addition, you can specify the encryption algorithm in the global BitLocker settings with Choose drive encryption method and cipher strength (Windows 10 [version 1511] and later). There are analogous options for other Windows versions.
A very important point concerns how and where the recovery keys are saved. Without a group policy, the user can choose between saving the keys to a file or printing them out. If you leave it at that, you can expect helpdesk requests about lost keys, or keys that were stored insecurely.
Saving recovery keys in AD
In managed environments, the recovery keys are stored in Active Directory instead. This is done through the setting Choose how BitLocker-protected removable drives can be recovered. The procedure is the same as for boot drives, which we have described here.
If the option Omit recovery options from the BitLocker setup wizard is checked, the above-mentioned dialog box for saving the key is skipped, and users will not be able to save it themselves.
Marking the data drives with the ID
However, the problem of lost recovery keys can still occur if a user encrypted a USB stick with BitLocker before the GPO was put in place and backed up the key themselves. To prevent the user from continuing to store data on such a drive, you can mark the drives with an organization ID.
The setting Provide the unique identifiers for your organization is responsible for this. It stamps each removable drive with the corresponding ID, which can be any value of up to 260 characters.
In addition, you need to activate the option Do not allow write access to devices configured in another organization (it's part of the setting Deny write access to removable drives not protected by BitLocker mentioned earlier).
In addition to your own ID, you can also enter other IDs separated by commas under the Allowed BitLocker identification field in order to permit these devices.
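The following PowerShell script is an added example (not from the article) that brings a single removable drive into the state the settings above enforce: encryption of used space only, a password protector, a recovery password escrowed in AD, and the organization ID stamped on the drive. It assumes drive letter E:, a domain-joined Windows 10/11 client with the built-in BitLocker module, and the Choose how BitLocker-protected removable drives can be recovered policy set to back up recovery information to AD DS.

```powershell
# Added example: enforce the article's BitLocker To Go baseline on one removable drive.
# Assumptions: drive E:, domain-joined client, AD DS backup enabled by GPO.
#Requires -Modules BitLocker
param(
    [string]$DriveLetter = 'E:',
    [Parameter(Mandatory)][SecureString]$Password   # prompted for, never hard-coded
)

# Refuse to run against anything that is not a removable drive.
$vol = Get-Volume -DriveLetter $DriveLetter.TrimEnd(':')
if ($vol.DriveType -ne 'Removable') {
    throw "$DriveLetter is not a removable drive; refusing to touch it."
}

$bl = Get-BitLockerVolume -MountPoint $DriveLetter
if ($bl.VolumeStatus -eq 'FullyDecrypted') {
    # -UsedSpaceOnly mirrors "Enforce drive encryption type" = used space only;
    # XTS-AES 256 mirrors the method chosen under "Choose drive encryption method".
    Enable-BitLocker -MountPoint $DriveLetter -PasswordProtector -Password $Password `
        -EncryptionMethod XtsAes256 -UsedSpaceOnly | Out-Null
}

# A recovery password protector is what gets stored in AD; add one if the
# drive was encrypted before the GPO existed and only has a password protector.
$bl = Get-BitLockerVolume -MountPoint $DriveLetter
$rp = $bl.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    $rp = (Add-BitLockerKeyProtector -MountPoint $DriveLetter -RecoveryPasswordProtector).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# Escrow the recovery password under the computer account in AD DS, so the
# helpdesk no longer depends on the copy the user kept (or lost).
Backup-BitLockerKeyProtector -MountPoint $DriveLetter -KeyProtectorId $rp.KeyProtectorId

# Write the ID from "Provide the unique identifiers for your organization" to the
# drive, so a pre-GPO drive is not blocked by the "another organization" rule.
manage-bde -SetIdentifier $DriveLetter

# Summary of the resulting state for the audit log.
Get-BitLockerVolume -MountPoint $DriveLetter |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

Run it from an elevated session on the client where the drive is attached; the script stops at the first failing cmdlet, so a drive without an AD backup never ends up silently unrecoverable.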
Password policy
Finally, you can define your own rules for BitLocker To Go passwords, for example to raise the minimum length above the default of eight characters. The setting Configure use of passwords for removable data drives does this. The complexity requirement assumes that a password policy has been configured for the domain.
Another useful function for securing encrypted USB drives is provided by Control use of BitLocker on removable drives. By deactivating the option Allow users to suspend and decrypt BitLocker protection on removable data drives, you ensure that users cannot remove BitLocker from the drive.
Conclusion
BitLocker To Go is the onboard tool of choice for encrypting USB media. Without central configuration, however, it is left to the user's discretion whether and when to use the feature. Moreover, it is then up to them to store the recovery keys and to choose an appropriate encryption method.
To ensure reliable data protection, most organizations delegate these tasks to the admin team, which can enforce the desired settings through group policies.
This still does not make BitLocker To Go a completely transparent and automatic solution. Centralized administration does, however, simplify the use of the feature significantly.
Hi,
Do you know, if I save my recovery key to Active Directory and reinstall the PC (and rejoin the domain with the same hostname) where the stick was encrypted, would the recovery key be lost?
If you just reset the computer's account password, everything else should stay as is. This is a very common situation; you may have a loss of trust or a similar issue.
Will a standard user be able to encrypt a USB drive presented to a domain computer with WIN 10 20H2, or will local admin rights be needed? In https://security.stackexchange.com/questions/179763/bitlocker-without-admin-privileges one reads that for WIN 10: "To turn on, turn off, or change configurations of BitLocker on operating system and fixed data drives, membership in the local Administrators group is required. Standard users can turn on, turn off, or change configurations of BitLocker on removable data drives." Can you confirm?
Yes, a standard user can encrypt USB drives.
I've found that if I plug in a removable drive encrypted with BitLocker To Go, the drive is write-protected or read-only, even after entering the password. Do you know how to get around this? I believe there may be a Group Policy or registry entry forcing this, but I cannot find it. Any help is appreciated.
If you encrypt all USB drives, is there a way to exclude certain USB drives based on vendor/product ID so that a specific type doesn't get encrypted?
Does anyone have an answer to ByDesign1977's question… If you encrypt all USB drives, is there a way to exclude certain USB drives based on vendor/product ID so that a specific type doesn't get encrypted? Thanks in advance.